Cloud Contact Center Security White Paper


Introduction

Customers communicate with organizations in a variety of forms, from phone conversations to email, web chat and social media. As each interaction may contain sensitive and confidential information, security has become a top requirement for consumers and enterprises alike. Many companies are turning to cloud-based solutions for more robust security as part of their contact center strategy.

Cloud contact center solutions provide many advantages over traditional on-premise solutions, including lower upfront capital expenditure, deployment flexibility and scalability, relief from infrastructure installation and maintenance, and an instant gateway to advanced capabilities. One important benefit of cloud contact center solutions is relief from security implementation. With the right cloud contact center solution, this built-in benefit can translate into significant cost savings.

Mitel has implemented security measures that take a comprehensive, multiple-layer approach and has been certified to meet industry standards including the Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance. In fact, Mitel has been providing secure cloud contact center solutions to leading enterprises, including some of the largest financial and insurance companies in the world, for over a decade.

Overview

Mitel's security strategy provides controls at multiple levels of data storage, access, and transfer. The strategy includes the following components:

- Physical Security
- Network Security
- Platform Security
- Application Security
- Data Security
- Human Security
- Compliance

Physical Security

Mitel's MiContact Center Live Cloud solution for large enterprises operates in Tier 4-class data centers. Each data center employs the same physical security standards and is controlled by multiple security parameters, including:

- Electronic entry systems that require each person who enters a data center to have a valid badge and pass biometric controls
- System access that includes multiple levels of authentication, including two layers of biometric authentication
- Surveillance cameras supported by infrared, ultrasonic and photoelectric motion sensors
- Alarm systems deployed throughout the data centers
- Armed security guards on duty 24x7
- Exterior walls constructed of steel-reinforced poured concrete or reinforced masonry that exceeds building code requirements for structural strength
- Multiple Internet connections to block intentional disruptions of service
- Multiple power connections with generator backup
- Fire suppression systems
- Tracking and recording of all access made to the data center

Network Security

MiContact Center Live uses network elements that interconnect systems and information across multiple locations. Mitel achieves network security through technical systems and processes including the following:

- Firewalls: Multiple layers of firewalls are deployed
- Web Application Firewall (WAF): Analyzes application-level activity in real time to detect and block malicious activity
- Segmentation: Systems are broken up into logical groups with restricted access to other groups, helping to contain intrusions that may occur
- Intrusion Detection Systems (IDS): Detect suspicious activity
- Data Encryption: Ensures added security when data travels over our internal network and when customers access the information externally over other types of networks

SECURITY VULNERABILITY ASSESSMENTS

Internal and external network vulnerability scans are conducted each quarter (at a minimum) and after significant changes in the network (e.g. new system component installations, changes in network topology, firewall rule modifications, product upgrades). As a result:

- All potential vulnerabilities identified are communicated to appropriate Mitel personnel for remediation
- All high-level vulnerabilities are scheduled to be corrected within 10 days
- Medium-level vulnerabilities are corrected and subject to the Change Control Policy
- Follow-up scans confirm compliance with Mitel security standards

In addition, Mitel Security Operations Center (SOC) staff monitor activities on the Mitel network 24x7x365. The SOC team manages the network to detect and prevent threats and to maintain recovery control and audit logs of all activities of all users. This allows the security team to assist in any necessary investigations or audits.

Platform Security

As a cloud-based solution, MiContact Center Live was built as a multi-tenant solution with distributed systems on an application architecture that preserves the security of each tenant. The platform has been designed with tight security in mind around the servers and operating system, the middleware and the application/multi-tenancy stack. In the past year the MiContact Center platform has:

- Processed billions of dollars through the platform
- Supported 144 million calls on the Mitel platform for 531 million minutes (that's over a thousand years of voice calls!)
- Supported hundreds of clients within Financial Services, Healthcare, High Tech, Insurance and Retail
- Collected over 25 million credit card numbers (PCI-DSS)
- Collected over 4 million bank account numbers
- Processed 100+ million instances including Personally Identifiable Information (PII)
- Collected tens of millions of medical data artifacts (HIPAA)

HIGH AVAILABILITY

To minimize service interruption due to hardware failures, natural disasters, Denial of Service (DoS) attacks, or other catastrophes, a disaster recovery plan has been implemented for all MiContact Center Live data centers. This program includes:

- Geographically dispersed data centers that operate in active-active mode.
- Redundant applications that provide backup capabilities. If the primary server goes out of service, a backup server acts as the primary server.

LOAD DISTRIBUTION

MiContact Center Live deploys proxy and parallel servers to add efficiency to large-scale configurations. The use of these technologies reduces the loss of functionality and data caused by an outage or security attack.

MULTI-TENANT SECURITY

MiContact Center Live separates tenant applications and data. This isolation and separation preserves the integrity of each tenant environment and its data. Mitel supports the following tenant separations:

- Server level: Each tenant has a unique and isolated (virtual or physical) environment with a single management system.
- Data level: The application is designed so that access across tenants is securely administered.

Mitel may deploy different tenant separation methodologies depending on the features that a customer orders.

Application Security

Mitel has deployed the following application security methodologies:

SECURE BY DESIGN

- Secure Software Installation Controls: Access to Mitel applications uses multi-level authentication and all access is logged.
- Prudent Configuration of Access Controls: Least Privilege and Need-to-Know principles are applied during the design of the applications.

HOLISTIC SECURITY

Users access the MiContact Center Live platform in the cloud via our Secure Sign-in feature. Customers can adjust their password strength and expiration policies to fit their needs. The platform provides role-based and IP-based permission systems, giving you fine-grained control over who in your organization has access to specific applications and data. In addition, we offer several unique capabilities to ensure that your customers' data remains secure. Mitel's Secure Exchange feature, for example, allows callers to securely provide sensitive personal information while ensuring that agents do not hear or have access to that data.

Data Security

Security and privacy of customer data is extremely important to Mitel and is an essential element of our client relationship. Mitel ensures that particular security measures and attention to customer data are addressed as detailed in the following sections.

POLICY AND PROCEDURES

Security Policy and Procedures for MiContact Center Live include provisions to protect customer data from unauthorized access by implementing access controls and employing data and protocol encryption.

DATA COLLECTION

Mitel views secure customer data collection and retention as a top priority. To address this business goal, Mitel employs a variety of practices and procedures. End customer data must be kept private when it is collected, such as when an end customer makes a purchase or provides personal information necessary to receive support or benefits. Mitel protects and maintains the security of that data in its possession until it is deleted or destroyed in accordance with defined data retention periods and data deletion procedures.

DATA ENCRYPTION

DATABASE SERVERS

Customer data is stored on Mitel database servers on a secure database VLAN. Database access is limited to authorized operations and engineering teams. Logical access is protected in the MiContact Center Live application hosted on web servers in a DMZ, utilizing 128-bit SSL cipher key minimums and requiring unique usernames and passwords for authorized users. User access and database transactions are logged.

Human Security

Background and reference checks are performed on all personnel who are authorized to access customer data. In addition, all employees must review and certify a full understanding of Mitel's Policy and Procedures, which include:

- Data retention
- Employee security awareness training and management
- Data storage and transmission
- Security vulnerability assessment program
- Acceptable usage of Mitel's systems

Fraud Detection

- A specialized team can audit and gather information regarding potentially fraudulent activity.
- Automatic monitoring systems detect anomalies in the behavior of agents.
- Manual review and investigations are conducted when required.
- Heuristic detection methods are constantly tuned to identify fraudulent activities.

Compliance

Procedures have been implemented to ensure high levels of compliance with legal and consumer laws. Compliance measures and achievements adhere to a broad range of laws and regulations governing electronic information security. Always consult your legal counsel to ensure you understand what regulatory and compliance requirements are appropriate for your specific use of MiContact Center Live and its features.

Sensitive data is stored in 2048-bit RSA encrypted, secured databases. These databases are not accessible to agents who have access to MiContact Center Live. Call recordings are encrypted on a hardened appliance using the AES-256 encryption standard in accordance with NIST FIPS (US Federal Information Processing Standards).

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI)

What is PCI-DSS?

PCI-DSS is a certification required by Visa, MasterCard and other major credit card processors for ensuring data security and privacy. PCI certification protects a company from liability if credit card data is stolen or compromised. For more information, visit: https://www.pcisecuritystandards.org/.

Who is required to adhere to PCI-DSS?

Any company (merchant or service provider) that stores, transmits, records, or acts as a gateway for credit card information is required to become PCI-DSS compliant.

How does Mitel comply with PCI-DSS?

Mitel is fully compliant with the 12 Security Domains of PCI-DSS as a Level-1 service provider. Compliance is audited and certified yearly by an independent third-party Qualified Security Assessor.

What parts of Mitel's services are in compliance?

The following components have been certified for use with PCI-DSS related data:

- Mitel telephony components.
- IVR system, including the Secure Exchange feature.
- Call recording and playback system.
- Mitel Scripting system (e.g., credit card collection screens).
- Mitel real-time fulfillment.
- Mitel batch fulfillment.
- Mitel's data centers located in the United States, Australia and Europe.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

What is HIPAA?

Enacted in 1996, HIPAA regulations require companies to adopt policies and procedures to protect the privacy and security of Protected Health Information (PHI). Covered Entities, as defined in the regulations, which include health insurers and billing processors, must fulfill the requirements defined under HIPAA's privacy and security rules. These rules define administrative, physical and technical safeguards for PHI. For more information, visit:

Who is required to adhere to HIPAA?

The Privacy Rule applies to health plans, healthcare clearinghouses, and any health care provider who electronically transmits health information in connection with certain transactions, which include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which the U.S. Department of Health and Human Services has established standards under the HIPAA Transactions Rule.

How does Mitel comply with HIPAA?

MiContact Center Live security procedures and controls meet customer HIPAA compliance requirements.

What parts of Mitel's services are in compliance with the HIPAA requirements?

Mitel is in compliance with HIPAA requirements in accordance with the following security features:

- Call recording encryption.
- Strict access controls.
- Access logging.
- Auditing & reporting systems.
- Configurable data sensitivity levels on collected data:
  - Confidential: Normal access control.
  - Highly confidential: Restricted access.
  - Highly confidential - FMG: Encrypted, no user access.

SAFE HARBOR

What is Safe Harbor?

The U.S. Department of Commerce, in concert with the European Commission, developed the Safe Harbor Framework to allow U.S. organizations to comply with the directive by agreeing to abide by the Safe Harbor Privacy Principles. Companies certify their compliance with these Principles on the U.S. Department of Commerce website. The Framework, approved by the EU in 2000, gives companies assurance that the EU will consider their practices adequate for data transfers between the U.S. and both the EU and Switzerland. For more information, visit:

How does Mitel comply with Safe Harbor?

Mitel complies with the U.S.-E.U. Safe Harbor framework and the U.S.-Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland.

Summary

Mitel employs a multi-layered security strategy that supports a cloud contact center platform used by leading enterprises and businesses worldwide. The MiContact Center Live solution provides heightened security and high availability at no additional cost, saving our clients excessive overhead and expenses.

Written by Ian Maclaren, Portfolio Manager, Contact Center Cloud Solutions

Bringing a broad range of expertise and leadership in defining and managing telecommunications product portfolios, Ian Maclaren joined Mitel in 2014 with a mission to help organizations understand the role of the cloud in contact centers. He is responsible for Mitel's cloud contact center portfolio, including both MiCloud Contact Center and MiContact Center Live. Ian comes to Mitel following extensive management and global product experience at Avaya and Nortel, including time as Product Manager for SMB cloud communications at Avaya. Follow Ian Maclaren online: https://ca.linkedin.com/in/ianmaclaren

mitel.com

Copyright 2015, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third-party trademarks is for reference only and Mitel makes no representation of ownership of these marks. R0714-EN
